New submission from Stephen Farris:

The dumbdbm module uses an unchecked call to eval() in the _update method, 
which is called in response to a call to dumbdbm.open(), and is used to load 
the index from the directory file. This poses a security vulnerability because 
it allows an attacker to execute arbitrary code on the victim's machine by 
inserting Python code into the DBM directory file. This vulnerability could 
allow an attacker to execute arbitrary commands on the victim machine, 
potentially allowing them to deploy malware, gain system access, destroy files 
and data, expose sensitive information, etc.
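The following is an added illustration written for this report (it is not code from the report or from the CPython source). It contrasts the pattern the report describes, eval() of an index line read from the directory file, with a hardened loader that parses the same line with ast.literal_eval and then validates its shape. It assumes that each directory-file line has the form `'key', (pos, siz)` and that the index maps each key to a (position, size) pair; the sample file contents are constructed here, and the code targets Python 3.

```python
import ast

# Constructed sample directory-file contents (assumed `'key', (pos, siz)` per line).
SAMPLE_DIR_FILE = """'alpha', (0, 12)
'beta', (512, 7)
"""


def parse_index_line_unsafe(line):
    """The pattern the report describes: eval() on a line from an untrusted file.
    Any expression in the line is executed, not just a (key, (pos, siz)) literal."""
    return eval(line)


def parse_index_line_safe(line):
    """Parse one `'key', (pos, siz)` line without executing code.

    ast.literal_eval only accepts literal syntax (strings, numbers, tuples, ...)
    and raises ValueError for names, calls, attribute access and the like, so a
    line that tries to smuggle in code is rejected before anything runs.  The
    shape checks afterwards reject lines that are literals but not a valid index
    entry (wrong arity, non-integer or negative offsets)."""
    try:
        parsed = ast.literal_eval(line.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError("malformed index line: %r" % line) from exc

    if not (isinstance(parsed, tuple) and len(parsed) == 2):
        raise ValueError("index line is not a (key, (pos, siz)) pair: %r" % line)
    key, pos_siz = parsed
    if not isinstance(key, (str, bytes)):
        raise ValueError("index key is not a string: %r" % line)
    if not (isinstance(pos_siz, tuple) and len(pos_siz) == 2
            and all(isinstance(n, int) and n >= 0 for n in pos_siz)):
        raise ValueError("index entry has bad (pos, siz): %r" % line)
    return key, pos_siz


def load_index(text):
    """Build the in-memory index from directory-file text using the safe parser."""
    index = {}
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines, as a file might end with one
        key, pos_siz = parse_index_line_safe(line)
        index[key] = pos_siz
    return index


def line_is_rejected(line):
    """True if the hardened parser refuses the line (useful for a quick audit
    of an existing directory file before opening it with the library)."""
    try:
        parse_index_line_safe(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(load_index(SAMPLE_DIR_FILE))
    # A line containing a call instead of a literal is refused, not executed.
    print(line_is_rejected("'gamma', len('x')"))
```

The important property is that ast.literal_eval refuses any node that is not literal syntax, so the check happens at parse time and nothing from the file is ever executed; the extra shape validation is what turns "it parsed" into "it is a well-formed index entry".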

----------
components: Library (Lib)
messages: 231255
nosy: Guido.van.Rossum, lemburg, stephen.farris
priority: normal
severity: normal
status: open
title: Arbitrary code execution vulnerability due to unchecked eval() call in dumbdbm module
type: security
versions: Python 2.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22885>
_______________________________________
_______________________________________________
Python-bugs-list mailing list